While I was working on a anomaly detection system (finding cheaters in a quite popular online game service) I accidentally found a way to get a password of a user in a reasonable amount of time. Basically, the whole idea to build an anomaly detection system was to apply for a job for that webservice and to provide my preliminary solution.

After finding this vulnerability I am thinking to apply there not only with a CV, but also with the detection system and explaining vulnerability as well. But here is a thing: I remember reading about a guy who found a problem in Yahoo! reported it and got rewarded, tried this with Facebook and got jailed.

Because I think that jail is not the best place for me, I would like to ask what are the chances of being charged with a crime?

To keep in mind

I am not working for that company

my main objective is to finish my cheat prediction classifier

the only passwords I tried to break were the passwords of my own dummy accounts

I want to work for that company

P.S I think that I did not make myself clear. I am working on a classifier to give a prediction, whether the person is cheating in the game or not and because this is a big problem for that service - I am planning to apply for a job, having this classifier as an additional plus for my CV. I accidentally found a vulnerability and thinking whether I should report it or no, and if yes, what problems can I face. It is going to be something like this, "here is the problem and here is what I think you should have done. If you want, I would like to work for you, but not as a security specialist (I do not have knowledge for this), but as a data-miner". Whether they will take me or not, I basically do not care.

It has nothing to do with the scenario: "I want to work for you and I know how to get a password of a user, so think twice before rejecting me."

This is NOT 'Ethical Hacking' - this is what is known as 'Grey Hat Hacking'.
–
schroeder♦Nov 13 '12 at 19:30

2

I am not familiar with a term, but according to Wikipedia "white hat hackers will tend to advise companies of security exploits quietly, grey hat hackers are prone to "advise the hacker community as well as the vendors and then watch the fallout". I have not tried to advice anyone and basically I am going to tell company regarding this issue
–
Salvador DaliNov 13 '12 at 19:39

2

And neither colour hat is 'Ethical Hacking'. Ethical Hacking requires that the owners know about the hacking attempts before you start. That's the 'Ethical' part.
–
schroeder♦Nov 13 '12 at 19:41

Thank you very much for clarifying this.
–
Salvador DaliNov 13 '12 at 19:45

1

Please note that, given the TOS of most websites (and some government laws), hacking even your own account is (potentially) illegal, even if it results in no gain (material or otherwise) for you. And they only have your word that you only hacked your dummy accounts, too...
–
Clockwork-MuseNov 13 '12 at 22:54

4 Answers
4

-- Edit: This answer addressed the idea of applying for a job based on the discovery of a vulnerability. --

The chances are high that you would not get the job if you applied on the strength of the fact that you successfully hacked their user security. Trust me, if someone walked into an interview with me saying, "Oh, by the way, I found a hole in your systems, hacked it, and here is my fix," that person would be escorted out of the building and I would call the police.

Fully disclose the vulnerability to them and them alone, and work with them to close the problem. THEN open the discussion of being hired for more security work. Once you try to combine getting a job with disclosing a vulnerability, it could be interpreted as an extortion attempt.

As for the chances of legal action, it depends on your location, their location, the location of the webserver you tested, the severity of the breach, and (to some degree) the attitudes and policies of the affected organizations.

Thank you for using your time, answering my question. I modified my answer a little bit to be more precise, because I think I missed a point in my question
–
Salvador DaliNov 13 '12 at 20:22

3

Re: "that person would be escorted out of the building and I would call the police": Why's that?
–
ruakhNov 13 '12 at 21:34

@ruakh- because in many jurisdictions they could be breaking the law.
–
Rory Alsop♦Nov 13 '12 at 22:08

@ruakh - Because he hacked my service, found a vulerability, and will only fully disclose on certain conditions. The only ethical course of action is to fully disclose the problem to the company. Even waiting to be an employee would not be ethical.
–
RamhoundNov 15 '12 at 13:38

1

I don't know why there is a question here. The issue is with "and I hacked it". Finding a vulnerability is one thing. Crossing the line to exploit the vulnerability without consent shows lack of judgement, dangerous activity, lack of awareness of the law, and in my jurisdiction, breaking the law. Coupled with announcing it in a job interview where it could be interpreted as an extortion attempt means this person will never get a job with me, should be removed from the building, and the police called for the illegal acts. Period.
–
schroeder♦Nov 15 '12 at 16:13

There really isn't enough information here to make a determination about your question. Jurisdiction and exactly what went on with how you found a flaw in the security and how you tested it and what their terms of service (which define how you are allowed to use their computers and data) all matter. In general, "hacking" isn't what is legal or illegal, what is illegal is using other people's hardware or IP in a way which you are not licensed to do so.

If you were running an exploit against their hardware, then that was an intrusion, regardless of intent and they could go after you for it if they really wanted to. If you took data that they licensed only for a particular purpose and abused the data in a way you were not entitled, it may also be possible for them to go after you based on jurisdiction. If they provided data in the clear, without a license associated and you found a way to use that data to abuse their system on your own hardware, then you are probably safe since you did not use their hardware or licensed data to make your determination. But again, this can vary widely based on jurisdiction, so knowing your local laws is the best policy and IANAL.

As for practical advice about how to approach it. I would suggest that you not approach it as a proven vulnerability. Certainly providing your anti-cheat system sounds like a plus. You could also simply mention that you thought you saw something that might be exploitable when you were working on it and ask for their permission to either test it or let them test it. You might be best off to not mention the vulnerability at all though until after you get a job with them or get declined on the strength of your anti-cheat system alone. It is really hard to predict how people will react when a flaw is exposed by an outside party, even when reported responsibly. Many of the possible reactions wouldn't work in your favor, whether denial, anger or suspicion.

It is never acceptable to look for vulnerabilities in websites or services without permission. This is against the law, and rightfully so.

It is completely legal to look for vulnerabilities in your own system, and software that you are running. You could easily find an 0-day that affects many other people, and its legal to whatever you would like with this information. (You're free to pass on the vulnerability details as you like, but to actually use it to exploit a system without authorization is another story.) Making it public and obtaining a CVE number or selling it to the highest bidder.

Very few companies have a bug bounty program. Facebok and Google do, and they can pay quite well for a high impact vulnerability.

Thanks for information. But in my opinion there is a contradiction in your answer: "never acceptable to look for vulnerabilities in websites or services without permission" and "completely legal to look for vulnerabilities in your own system, and software that you are running". I am running their software (playing on their website) and my credentials can be stolen if somebody will figure out the way. To clarify, I am not asking for bounty.
–
Salvador DaliNov 13 '12 at 19:27

3

There is no contradiction in @Rook 's answer. You are running the software on THEIR server, which means you are hacking THEIR systems. The potential impacts on you do not give you license to circumvent their security, even if the goal is to tell them about it later.
–
schroeder♦Nov 13 '12 at 19:39

Nice to know about it. I am not trying to justify anything, but it sounds strange for me: it is like I have rent a car, opened a hood and found that there is an easy way to break it. But this is a misconduct, because I am not a creator of a car and have no right to see how it is working. Also it looks that researchers who found WEP vulnerability are also done the wrong thing, because they had no previous agreement with whoever created it.
–
Salvador DaliNov 13 '12 at 20:03

@Salvador Dali no its you car you can do whatever you want with it. I can write an 0-day for IE and sell it, that is completely legal. The problem is going to someone else's car and poking around.
–
rookNov 13 '12 at 20:05

1

It is never acceptable to look for vulnerabilities in websites or services without permission. That depends. There is a huge difference between observation and manipulation.
–
CypherNov 13 '12 at 22:55

Whether use of a website is legal or not is completely independent of whether or not you're looking for a vulnerability or even if you find one. What matters is whether or not you are using the website in a manner consistent with their terms. It does not matter why you're doing it.

For example, attempting to log in using someone else's password is probably not allowed and therefore illegal. However, reading through a page's Javascript looking for mistakes probably is perfectly legal. But then if you find something, if you attempt to test the vulnerability you found... well, probably back to illegal again.

Whether or not they press charges against you is their decision, but by breaking the law you've put yourself into a poor position to negotiate.

Now, if you have the site owner's explicit permission to look for vulnerabilities, well then you're back on the legal side again. Just be sure to get it in writing, as several notable figures have discovered.

thanks. So basically you are saying that I have to do something like this: 'hi, I was trying to build classifier and I think that you have a vulnerability in your service. Can I investigate more?'
–
Salvador DaliNov 14 '12 at 2:36

@SalvadorDali - The more ethical statement would be "hi, I was trying to build classifier and I think that you have a vulnerability in your service.....Here is everything I know about th vulnerability...." leave out the fact you tested it against your own accounts ( unless they ask ).
–
RamhoundNov 15 '12 at 13:42